Annotation of loncom/lcuserdel, revision 1.9

1.1       harris41    1: #!/usr/bin/perl
                      2: #
                      3: # lcuserdel
                      4: #
                      5: # Scott Harrison
1.4       harris41    6: # SH: October 27, 2000
                      7: # SH: October 28, 2000
1.5       harris41    8: # SH: October 29, 2000
1.1       harris41    9: 
                     10: use strict;
                     11: 
1.2       harris41   12: # This script is a setuid script (chmod 6755) that should
1.1       harris41   13: # be run by user 'www'.  It DOES NOT delete directories.
                     14: # All it does is remove a user's entries from
                     15: # /etc/passwd, /etc/groups, and /etc/smbpasswd.
1.5       harris41   16: # It also disables user directory access by making the directory
                     17: # to be owned by user=www (as opposed to the former "username").
                     18: # This command only returns an error if it is
                     19: # invoked incorrectly (by passing bad command-line arguments, etc).
1.1       harris41   20: 
1.3       harris41   21: # This script works under the same process control mechanism
                     22: # as lcuseradd and lcpasswd, to make sure that only one of these
                     23: # processes is running at any one time on the system.
1.1       harris41   24: 
                     25: # Standard input usage
                     26: # First line is USERNAME
                     27: 
                     28: # Command-line arguments [USERNAME]
                     29: # Yes, but be very careful here (don't pass shell commands)
                     30: # and this is only supported to allow perl-system calls.
                     31: 
1.2       harris41   32: # Usage within code
                     33: #
1.3       harris41   34: # $exitcode=system("/home/httpd/perl/lcuserdel","NAME")/256;
1.2       harris41   35: # print "uh-oh" if $exitcode;
                     36: 
                     37: # These are the exit codes.
1.9     ! harris41   38: # ( (0,"ok"),
        !            39: #   (1,"User ID mismatch.  This program must be run as user 'www'"),
        !            40: #   (2,"Error. Too many other simultaneous password change requests being made."),
        !            41: #   (3,"Error. Only one line should be entered into standard input."),
        !            42: #   (4,"Error. This program needs just 1 command-line argument (username).") )
1.2       harris41   43: 
1.1       harris41   44: # Security
                     45: $ENV{'PATH'}=""; # Nullify path information.
                     46: $ENV{'BASH_ENV'}=""; # Nullify shell environment information.
1.2       harris41   47: 
                     48: # Do not print error messages if there are command-line arguments
                     49: my $noprint=0;
                     50: if (@ARGV) {
                     51:     $noprint=1;
                     52: }
                     53: 
1.3       harris41   54: # Read in /etc/passwd, and make sure this process is running from user=www
1.2       harris41   55: open (IN, "</etc/passwd");
                     56: my @lines=<IN>;
                     57: close IN;
                     58: my $wwwid;
                     59: for my $l (@lines) {
                     60:     chop $l;
                     61:     my @F=split(/\:/,$l);
                     62:     if ($F[0] eq 'www') {$wwwid=$F[2];}
                     63: }
                     64: if ($wwwid!=$<) {
                     65:     print("User ID mismatch.  This program must be run as user 'www'\n") unless $noprint;
                     66:     exit 1;
                     67: }
                     68: &disable_root_capability;
                     69: 
1.3       harris41   70: # Handle case of another lcpasswd process
                     71: unless (&try_to_lock("/tmp/lock_lcpasswd")) {
                     72:     print "Error. Too many other simultaneous password change requests being made.\n" unless $noprint;
                     73:     exit 4;
                     74: }
                     75: 
                     76: # Gather input.  Should only be 1 value (user name).
1.2       harris41   77: my @input;
1.3       harris41   78: if (@ARGV==1) {
1.2       harris41   79:     @input=@ARGV;
                     80: }
                     81: elsif (@ARGV) {
1.3       harris41   82:     print("Error. This program needs just 1 command-line argument (username).\n") unless $noprint;
1.9     ! harris41   83:     unlink('/tmp/lock_lcpasswd');
1.2       harris41   84:     exit 2;
                     85: }
                     86: else {
                     87:     @input=<>;
1.3       harris41   88:     if (@input!=1) {
                     89: 	print("Error. Only one line should be entered into standard input.\n") unless $noprint;
1.9     ! harris41   90: 	unlink('/tmp/lock_lcpasswd');
1.2       harris41   91: 	exit 3;
                     92:     }
                     93:     map {chop} @input;
                     94: }
1.4       harris41   95: 
                     96: my ($username)=@input;
                     97: $username=~/^(\w+)$/;
                     98: my $safeusername=$1;
                     99: 
1.5       harris41  100: &enable_root_capability;
                    101: 
1.4       harris41  102: # By using the system userdel command:
                    103: # Remove entry from /etc/passwd if it exists
                    104: # Remove entry from /etc/groups if it exists
1.8       harris41  105: # I surround with groupdel command to make absolutely sure the group definition disappears.
1.7       harris41  106: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
1.6       harris41  107: system('/usr/sbin/userdel 2>/dev/null',$safeusername); # ignore error message
1.8       harris41  108: system('/usr/sbin/groupdel 2>/dev/null',$safeusername); # ignore error message
1.4       harris41  109: 
                    110: # Remove entry from /etc/smbpasswd if it exists
1.5       harris41  111: my $oldsmbpasswd=`/bin/cat /etc/smbpasswd`;
                    112: my $newsmbpasswd=`/bin/grep -v '^${safeusername}:' /etc/smbpasswd`;
1.4       harris41  113: 
1.5       harris41  114: if ($oldsmbpasswd ne $newsmbpasswd) {
1.6       harris41  115:     open OUT,">/etc/smbpasswd";
                    116:     print OUT $newsmbpasswd;
                    117:     close OUT;
                    118: }
1.4       harris41  119: 
                    120: # Change ownership on directory from username:username to www:www
                    121: # This prevents subsequently added users from having access.
                    122: 
1.5       harris41  123: system('/bin/chown','-R','www:www',"/home/$safeusername");
1.3       harris41  124: 
                    125: &disable_root_capability;
                    126: unlink("/tmp/lock_lcpasswd");
                    127: exit 0;
                    128: 
                    129: # ----------------------------------------------------------- have setuid script run as root
                    130: sub enable_root_capability {
                    131:     if ($wwwid==$>) {
                    132: 	($<,$>)=($>,$<);
                    133: 	($(,$))=($),$();
                    134:     }
                    135:     else {
                    136: 	# root capability is already enabled
                    137:     }
                    138:     return $>;
                    139: }
                    140: 
                    141: # ----------------------------------------------------------- have setuid script run as www
                    142: sub disable_root_capability {
                    143:     if ($wwwid==$<) {
                    144: 	($<,$>)=($>,$<);
                    145: 	($(,$))=($),$();
                    146:     }
                    147:     else {
                    148: 	# root capability is already disabled
                    149:     }
1.2       harris41  150: }
                    151: 
1.3       harris41  152: # ----------------------------------- make sure that another lcpasswd process isn't running
                    153: sub try_to_lock {
                    154:     my ($lockfile)=@_;
                    155:     my $currentpid;
                    156:     my $lastpid;
                    157:     # Do not manipulate lock file as root
                    158:     if ($>==0) {
                    159: 	return 0;
                    160:     }
                    161:     # Try to generate lock file.
                    162:     # Wait 3 seconds.  If same process id is in
                    163:     # lock file, then assume lock file is stale, and
                    164:     # go ahead.  If process id's fluctuate, try
                    165:     # for a maximum of 10 times.
                    166:     for (0..10) {
                    167: 	if (-e $lockfile) {
                    168: 	    open(LOCK,"<$lockfile");
                    169: 	    $currentpid=<LOCK>;
                    170: 	    close LOCK;
                    171: 	    if ($currentpid==$lastpid) {
                    172: 		last;
                    173: 	    }
                    174: 	    sleep 3;
                    175: 	    $lastpid=$currentpid;
                    176: 	}
                    177: 	else {
                    178: 	    last;
                    179: 	}
                    180: 	if ($_==10) {
                    181: 	    return 0;
                    182: 	}
                    183:     }
                    184:     open(LOCK,">$lockfile");
                    185:     print LOCK $$;
                    186:     close LOCK;
                    187:     return 1;
                    188: }
1.2       harris41  189: 
1.1       harris41  190: 

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>